Access Request & Provisioning Agent

AgentKit released the Access Request & Provisioning Agent, an open-source blueprint under Apache-2.0 that validates access requests against policy, separation-of-duties, and risk scoring before provisioning or escalating. The agent enforces least privilege by default, blocks toxic combinations, and never auto-grants sensitive access, instead escalating exceptions with a full audit trail. It is governed by the AgentAz specification, which documents trust levels, tool boundaries, and human handoff triggers for security review.

Overview Validate → policy-check → SoD → risk-score → provision or escalate: turns an access request into a safe, policy-grounded outcome. Least privilege by default: it grants only the standard, low-risk access a role clearly warrants, and nothing more. Separation-of-duties aware: it blocks grants that would create a toxic combination e.g. create-vendor + approve-payment . Defensive: never auto-grants privileged/production/sensitive access, prefers time-bound grants, and escalates exceptions with a full audit trail. AgentAz™ specification A lightweight, design-time governance spec for security review. It documents what this agent is authorized to do — and why — and pairs with whatever policy engine you already run. It does not enforce anything at runtime. Machine-readable contract agentaz.json , validated against the open AgentAz™ JSON Schema — bundled for offline use and published at a permanent URL: { "$schema": "./agentaz.schema.json", "version": "2.0.0", "last reviewed": "2026-06-24", "agent id": "access-request-agent", "trust level": "A3", "dna pattern": "Planning", "worst case action": "Prepares an incorrect access change for human approval. Cannot grant or revoke access.", "authority boundary": "Prepares access changes against policy for approval; provisioning tools absent.", "tags": "security", "iam", "access-request", "human-approval" , "tool boundary": { "allowed tools": "read request", "check policy", "prepare change", "summarize" , "execution tools absent": true }, "output boundary": { "format": "structured json", "never emits": "grant access", "revoke access", "provisioning write" }, "cost boundary": { "max usd per trace loop": 0.25, "alert threshold usd": 0.16 }, "loop boundary": { "max reasoning turns": 8 }, "human handoff": { "triggers": "sensitive resource", "policy ambiguous", "low confidence" , "destination": "access owner" }, "audit": { "append only": true, "logs": "request", "policy check", "prepared change", "approvals" } } New to this? Read the AgentAz specification guide /agentaz-specifications — Trust Levels, DNA patterns, and how it complements your runtime. This is a flagship reference blueprint for AgentAz v1.0.0. AgentAz™ is open source under Apache-2.0 https://www.apache.org/licenses/LICENSE-2.0 spec text under CC‑BY‑4.0 — schema and source on GitHub https://github.com/agent-kits/agentaz . Governance matrix A scannable summary of this blueprint's governance coverage, derived from its AgentAz™ specification. It documents the boundaries that already ship — not new functionality. | Agent goal | Bounded by the authority spec above | |---|---| | Trust Level | A3 — Human-Approved | | Tool access | Least privilege — execution tools absent read-only | | Context handling | Grounded in provided inputs; cites or flags rather than guessing | | Memory strategy | Task-scoped; no persistent cross-session memory | | Human approval | Required on sensitive resource, policy ambiguous, low confidence → access owner | | Audit trail | Append-only log request, policy check, prepared change, approvals | | Cost & loop bounds | ≤ $0.25 per loop · ≤ 8 reasoning turns | | Recovery / escalation | Escalates to access owner | Agent component mapping A framework-neutral view of how this blueprint maps to standard agent-architecture components the vocabulary common to ADK-style frameworks . It describes structure for clarity — not an official integration or certified compatibility. | Agent | Primary reasoner — Human-Approved authority A3 | |---|---| | Tools | read request, check policy, prepare change, summarize — execution tools absent read-only | | Memory | Task-scoped working context; no persistent cross-session memory | | Guardrails | Worst-case classified A3 ; no execution tools; ≤ $0.25/loop · ≤ 8 turns | | Evaluator | Confidence and authority-boundary checks; low-confidence or out-of-bounds results are flagged, not actioned | | Handoff | Escalates to access owner on sensitive resource, policy ambiguous, low confidence | Failure modes Specific ways this blueprint can fail, and how it is designed to detect, contain, and recover from each — the boundaries that make it safe to run, stated plainly. Prepares an over-privileged grant — more access than the request needs. - Detection - The request is compared to a role baseline; privilege escalation is flagged. - Mitigation - The agent prepares only; a human approves, with a least-privilege check. - Recovery - The approver rejects it and a right-sized grant is prepared. Decides against a stale policy. - Detection - The policy version is checked at decision time. - Mitigation - Access is never granted autonomously. - Recovery - The request is re-evaluated against the current policy. A segregation-of-duties conflict slips through. - Detection - A segregation-of-duties ruleset is checked and conflicts are flagged. - Mitigation - Conflicts are flagged for a human and never auto-approved. - Recovery - The case is routed to the access owner; it is denied or the exception is logged. Evaluation Least-privilege correctness matters most — whether the prepared grant matches the minimal access the request warrants — because over-provisioning is the silent risk. | Decision agreement | Agreement of the prepared grant or deny with an access owner's decision. | |---|---| | Least-privilege accuracy | Share where the proposed scope matches the minimal necessary, with no over-provisioning. | | SoD-conflict recall | Of segregation-of-duties conflicts present, the share it flags. | | Escalation rate | How often it correctly routes exceptions to a human. | | Latency | Time to a prepared decision. | Recommended approach. Replay historical access requests with known correct outcomes and role baselines; measure agreement, over-provisioning rate, and SoD-conflict recall. Approvals always remain human during evaluation. When to use Use it when - Your IT/helpdesk queue is full of routine access requests that follow role-based policy. - You have an entitlement/role policy and identity data role, department, manager the agent can check against. - You want consistent least-privilege provisioning with separation-of-duties enforcement and a clean audit trail. - You want to auto-handle standard low-risk grants while routing privileged and sensitive ones to humans. Avoid it when - You expect it to grant admin, production, or sensitive-data access autonomously — it must not. - You have no role/entitlement policy for it to ground decisions in. - You can't integrate approval verification, so it would have to assume approvals. - You can't keep human review on privileged and exception requests. System prompt You are an Access Request & Provisioning Agent in an IT/security workflow. You process ONE access request: validate it, check policy, enforce least privilege and separation-of-duties, and either provision standard low-risk access or escalate. You are judged on safe, correct, least-privilege provisioning and on never granting access that should have gone to a human. == CORE PRINCIPLES == 1. Least privilege by default. Grant the minimum access the person's role clearly warrants for the stated need — never more. Prefer time-bound / just-in-time grants over standing access. 2. Policy-grounded. Base every decision on the entitlement/role policy and verified identity data role, department, manager . Cite the policy basis. Do not invent entitlements. 3. Verify, don't assume. Confirm the required approvals and justification actually exist. Never fabricate or presume an approval. == HARD RULES NON-NEGOTIABLE == - NEVER AUTO-GRANT HIGH-RISK ACCESS: Admin/privileged roles, production system access, sensitive/regulated data, security tooling, or anything outside the requester's standard role MUST be escalated for human approval — never auto-provisioned. - SEPARATION OF DUTIES: Block any grant that creates a toxic combination e.g. create-vendor + approve-payment, develop + deploy-to-prod, request + approve . Flag the conflict and escalate. - APPROVAL REQUIRED WHERE POLICY SAYS: If policy requires manager and/or resource-owner approval, verify it's present before provisioning. Missing approval = escalate, not grant. - AUDIT EVERYTHING: Every decision grant or deny is logged with the policy basis, approvals, and risk rationale. - NO FABRICATION: Never invent an entitlement, role, approval, or justification. If data is missing, request it or escalate. == METHOD == - Validate the request and resolve the requester's identity role, dept, manager . - Look up the entitlement policy for the requested access; determine if it's standard for the role. - Run a separation-of-duties check against the requester's existing access. - Score access risk privilege level, data sensitivity, production scope, blast radius . - Verify required approvals. Then decide. == DECISION POLICY calibrated confidence 0.0-1.0 == - AUTO PROVISION: standard, low-risk, role-appropriate access; no SoD conflict; required approvals present; confidence = 0.85. Grant least-privilege time-bound if supported . - REQUEST INFO: missing justification or approval — state exactly what's needed; do not grant. - ESCALATE: privileged/production/sensitive access, SoD conflict, out-of-role request, or any uncertainty. Route to security/owner with the findings. == COST CONTROL == Look up only the policy and identity data this request needs; reuse what's loaded. Cap tool calls; if exceeded, escalate with current findings. == OUTPUT FORMAT return ONE JSON object == { "request id": "<id ", "requester role": "<role/dept ", "requested access": "<resource + level ", "risk": "low|moderate|high", "policy basis": "<entitlement rule cited ", "sod conflict": "<conflict description, or 'none' ", "approvals": "<present/required/missing ", "decision": "AUTO PROVISION|REQUEST INFO|ESCALATE", "grant": { "access": "<least-privilege grant ", "time bound": "<expiry, or 'standing' ", "applied": <bool }, "actions": { "tool": "<tool ", "args": { ... }, "requires approval": <bool } , "requester note": "<clear status message ", "escalation": { "needed": <bool , "to": "security|resource owner|manager|none", "reason": "<why, or empty " } } If access is privileged/production/sensitive, or any SoD conflict exists, decision must be ESCALATE — never AUTO PROVISION. Simulate run Try the agent with a sample task. This is a frontend-only preview that shows how the kit would plan and execute — no API calls, nothing leaves your browser. Frontend preview only — no data leaves your browser. Tip: press ⌘/Ctrl + Enter to run. Setup guide Install and connect IAM/ITSM Install the agent and connect it to your identity provider and ticketing. pipx install access-request-agent access-request-agent connect --idp okta --itsm servicenow access-request-agent doctor verifies least-privilege provisioning scope Configure guardrails What may auto-provision. Privileged/sensitive/production access never can. Enforced outside the model. cp .env.example .env ANTHROPIC API KEY=sk-ant-... AUTO PROVISION ONLY: { risk: "low", role standard: true, approvals: "present" } NEVER AUTO: "admin", "production", "sensitive data", "security tooling" PREFER TIME BOUND=true Load entitlement policy & SoD rules Define standard role entitlements and the toxic combinations to block. access.yml roles: engineer: { standard: "repo:read", "ci:read", "dev-db:read" } sod conflicts: - "vendor:create", "payment:approve" - "code:develop", "prod:deploy" privileged: " :admin", "prod: ", "pii: " Dry-run on past requests Replay historical requests to confirm it never auto-grants privileged access or SoD conflicts. access-request-agent backtest --range 60d --explain reports auto-provision/escalate decisions; privileged auto-grants must be 0 Wire into the request flow Route access requests to the agent; privileged/sensitive/SoD requests auto-route to security. php access request ticket - POST https://your-host/access/handle HMAC decision=ESCALATE auto-assigns to the security queue Architecture Tools required Workflow 1. Validate the request Capture the requester, resource, level, and justification, and resolve identity role, dept, manager . 2. Check entitlement policy Look up the role-based policy for the requested access and determine whether it's standard or an exception. 3. Run separation-of-duties Compare against existing access for toxic combinations; a conflict blocks auto-provisioning. 4. Score access risk Rate privilege, data sensitivity, production scope, and blast radius to choose the path. 5. Verify approvals Confirm required approvals and justification exist; missing approval means request-info or escalate, never grant. 6. Provision or escalate Auto-provision only standard, low-risk, role-appropriate access least-privilege, time-bound if possible ; escalate privileged/sensitive/SoD cases. 7. Audit Log every decision with the policy basis, approvals, and risk rationale for review and access certification. Examples Standard role-based access, approved → auto-provision least privilege An engineer requests read access to a dev tool their role normally has, with manager approval. Low risk, in-policy. Input Request REQ-5512: engineer requests read access to the staging dashboard. Role policy lists staging:read as standard for engineers. Manager approval present. Output { "request id": "REQ-5512", "requester role": "Engineer / Platform", "requested access": "staging-dashboard:read", "risk": "low", "policy basis": "entitlement: 'staging:read' is standard for the Engineer role", "sod conflict": "none", "approvals": "present manager approved ", "decision": "AUTO PROVISION", "grant": { "access": "staging-dashboard:read", "time bound": "standing", "applied": true }, "actions": { "tool": "provision access", "args": { "user": "REQ-5512.requester", "access": "staging-dashboard:read" }, "requires approval": false } , "requester note": "Your request for read access to the staging dashboard has been provisioned. It matches your role's standard access and your manager approved it.", "escalation": { "needed": false, "to": "none", "reason": "" } } Note: The routine grant the kit clears instantly: read-only, standard for the role, manager-approved, no SoD conflict. It provisions exactly the least-privilege access requested read, not write and cites the policy basis. This is the volume that should never need a human. Production/admin access requested → never auto-grant, escalate A developer requests admin access to a production database. Regardless of approval, the high-risk rule forces escalation. Input Request REQ-5570: developer requests admin write access to the production payments database, justification 'need to debug an issue'. Output { "request id": "REQ-5570", "requester role": "Engineer / Payments", "requested access": "prod-payments-db:admin write ", "risk": "high", "policy basis": "prod: and :admin are privileged — not standard for the Engineer role", "sod conflict": "none", "approvals": "manager approval present; resource-owner approval NOT present", "decision": "ESCALATE", "grant": { "access": "", "time bound": "", "applied": false }, "actions": { "tool": "escalate to security", "args": { "to": "security+db owner", "priority": "high" }, "requires approval": false } , "requester note": "Your request for admin access to the production payments database needs security review — production and admin access can't be auto-granted. In the meantime, consider whether time-bound read access or a break-glass procedure would address the debugging need.", "escalation": { "needed": true, "to": "security", "reason": "Privileged admin access to a production payments database — high risk, requires security + resource-owner approval; suggest least-privilege/time-bound alternative." } } Note: Even with manager approval and a plausible reason, production + admin access is privileged and high-risk, so it's never auto-granted. The agent escalates to security and the DB owner and proactively suggests a least-privilege alternative time-bound read, break-glass — pushing toward minimal access rather than just relaying the request. Separation-of-duties conflict → block and escalate Someone who can already create vendors requests payment-approval access. Granting it would create a fraud-enabling toxic combination. Input Request REQ-5604: a finance ops user with existing 'vendor:create' access requests 'payment:approve' access. Output { "request id": "REQ-5604", "requester role": "Finance Ops", "requested access": "payment:approve", "risk": "high", "policy basis": "payment:approve is grantable to the role, BUT SoD policy forbids it combined with existing access", "sod conflict": "Requester already holds 'vendor:create'; combining with 'payment:approve' violates SoD one person could create a vendor and approve its payments ", "approvals": "manager approval present", "decision": "ESCALATE", "grant": { "access": "", "time bound": "", "applied": false }, "actions": { "tool": "escalate to security", "args": { "to": "security+finance controls", "conflict": "vendor:create + payment:approve" }, "requires approval": false } , "requester note": "This request can't be auto-approved: combining payment-approval with your existing vendor-creation access would violate separation-of-duties controls. Finance controls/security will review options e.g. removing one entitlement or adding a second approver .", "escalation": { "needed": true, "to": "security", "reason": "Separation-of-duties conflict: vendor:create + payment:approve on one identity enables fraud; needs controls review." } } Note: The defining control: 'payment:approve' is grantable on its own and the manager approved it — but the requester already holds 'vendor:create', and that combination is a classic fraud-enabling toxic pair. The SoD check catches what a naive entitlement lookup would miss, blocks the grant, and escalates to finance controls with the exact conflict named. Implementation notes - Default to least privilege and time-bound/just-in-time grants; standing privileged access is the thing this agent exists to avoid handing out. - Enforce the 'never auto-grant privileged/production/sensitive' rule and the SoD check in a deterministic gate — these are security controls, not model preferences. - Run separation-of-duties against the requester's existing access, not just the new request; toxic combinations are invisible if you only look at one entitlement. - Verify approvals actually exist before provisioning; a missing resource-owner approval is an escalation, never an assumption. - Log every decision with policy basis, approvals, and risk for access certification and audit — this is also what makes the agent defensible to security review. - Have the agent suggest least-privilege alternatives time-bound read, break-glass when escalating high-risk requests, rather than just relaying them. - Spend the strong model on risk and SoD judgment — a cheaper model can resolve identity and look up policy. Variations Basic Request triage assistant Validates the request, checks policy and separation-of-duties, scores risk, and recommends grant/escalate for an IT analyst. No autonomous provisioning. Advanced Guarded auto-provisioning Auto-provisions standard low-risk, role-appropriate access least-privilege, time-bound with approval verification, and escalates privileged/sensitive/SoD-conflict requests. Enterprise Governed access automation Adds IGA/IAM integration, role-mining and entitlement catalogs, JIT access, full audit and access-certification support, and policy tuning — privileged access always human-approved. Download the Agent Blueprint Download Blueprint .zip /downloads/access-request-handler.zip Export View the source on GitHub https://github.com/agent-kits/agentaz/tree/main/kits/access-request-handler This flagship blueprint and the AgentAz™ specification live in the central AgentKits registry — open source under Apache-2.0 code & schema and CC‑BY‑4.0 text . Frequently asked questions Never. Privileged roles, production access, sensitive/regulated data, and security tooling are always escalated for human approval. It only auto-provisions standard, low-risk, role-appropriate access. It grants the minimum access the role clearly warrants for the stated need — read instead of write where that suffices — and prefers time-bound/just-in-time grants over standing access, citing the policy basis each time. Before granting, it compares the request against the requester's existing access to catch toxic combinations like create-vendor + approve-payment, or develop + deploy-to-prod . Any conflict blocks auto-provisioning and is escalated. No. It verifies that required manager/resource-owner approvals and justification actually exist. Missing approval means it requests it or escalates — it never fabricates or presumes an approval. Yes. Every grant or denial is logged with the policy basis, the approvals, and the risk rationale, which supports access certification and security review. Start in advise mode where it recommends, backtest on past requests to confirm it never auto-grants privileged access or SoD conflicts, then enable auto-provisioning for standard low-risk requests.